{
	"id": "3c2fde55-821d-4a10-aa81-a9505772ed43",
	"created_at": "2026-04-06T00:08:18.123748Z",
	"updated_at": "2026-04-10T13:11:24.386346Z",
	"deleted_at": null,
	"sha1_hash": "477e736640d49df105b6800976f9eec86972d547",
	"title": "Fake Interview: The New Activity of Charming Kitten - Certfa Lab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 87988,
	"plain_text": "Fake Interview: The New Activity of Charming Kitten - Certfa Lab\r\nBy Certfa Lab\r\nArchived: 2026-04-05 16:56:06 UTC\r\nFake Interview: The New Activity of Charming Kitten\r\nIntroduction\r\nCertfa Lab has identified a new series of phishing attacks from the Charming Kitten1, the Iranian hacking group\r\nwho has a close relationship with Iran’s state and Intelligence services. According to our investigation, these new\r\nattacks have targeted journalists, political and human rights activists. These phishing attacks are in line with the\r\nprevious activities of the group that companies like ClearSky2 and Microsoft3 have reported in detail in\r\nSeptember and October 2019.\r\nAs we previously reported the activities of the Charming Kitten in 20184, our research indicates the Charming\r\nKitten is still trying to target private and government institutions, think tanks and academic institutions,\r\norganizations with ties to the Baha’i community, and many others in European countries, the United States, United\r\nKingdom, Saudi Arabia, to extract information from them.\r\nOur findings show that these new attacks by Charming Kitten are focused on stealing email account information\r\nof the victims and finding information about their contacts/networks. Also, our research shows that the group has\r\nrecently participated in designing a malware for Windows machines but the spectrum and the number of its targets\r\nis still not clear for us.\r\nPhishing via Fake Interviews\r\nPhishing is one of the main tactics that has been used by the Charming Kitten, and social engineering and fake\r\nemails are the usual methods of executing it. In this campaign, the Charming Kitten has used the identity of a\r\nformer Wall Street Journal (WSJ) journalist and created a fake interview scenario to target their victims. 
It must be noted that in recent months, the group has used scenarios like “Invitation to a Deutsche Welle Webinar” and “CNN Interview” on topics related to Iran and international affairs in order to trick their targets.\r\nStep 1 - Gaining Trust: In one of the cases, the hackers forged the New York Times journalist Farnaz Fassihi’s identity as a Wall Street Journal reporter - where she used to work - to send interview request emails to victims and guide them to their phishing websites. In the first step of the fake interview, emails were sent from farnaz.fassihi [at] gmail [dot] com to gain the victims’ trust. The image below is a sample of the content.\r\nFigure 1. A sample of the fake interview request via an email\r\nhttps://blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/\r\nPage 1 of 7\n\nTranslation:\r\nHello *** ***** ******\r\nMy name is Farnaz Fasihi. I am a journalist at the Wall Street Journal newspaper.\r\nThe Middle East team of the WSJ intends to introduce successful non-local individuals in developed countries. Your activities in the fields of research and philosophy of science led me to introduce you as a successful Iranian. The director of the Middle East team asked us to set up an interview with you and share some of your important achievements with our audience. This interview could motivate the youth of our beloved country to discover their talents and move toward success.\r\nNeedless to say, this interview is a great honor for me personally, and I urge you to accept my invitation for the interview.\r\nThe questions are designed professionally by a group of my colleagues and the resulting interview will be published in the Weekly Interview section of the WSJ. 
I will send you the questions and requirements of the interview as soon as you accept.\r\n*Footnote: Non-local refers to people who were born in other countries.\r\nThank you for your kindness and attention.\r\nFarnaz Fasihi\r\nIn these emails, all the links in the footnotes (Figure 2), including social media links and the WSJ and Dow Jones websites, are in short URL format. As a result, by clicking on them, the hackers can guide the victim to legitimate addresses while collecting basic information about the victim’s device such as the IP address, the type of operating system, and the browser. This is a common method hackers use to gather information in order to prepare the main attacks based on the victims’ devices.\r\nFigure 2. Details of the short URL that allows hackers to collect basic information about the target [5]\r\nStep 2 - The Main Attack: After communication and relative trust are established through the initial email, the hackers send their victim an exclusive link to a file that contains the interview questions. According to our samples, the Charming Kitten has been using a page hosted on Google Sites (Figure 3). This is a relatively new tactic that has been widely used in phishing attacks by hackers in the past year [6] in order to make the targets trust the destination domain, for example this URL: hxxps://sites.google[.]com/view/the-wall-street/xxxx. By using this tactic, the hacker can evade spam detection.\r\nFigure 3. 
A sample of a fake WSJ page hosted on Google Sites.\r\nAfter clicking the download button on the Google Sites page (Figure 3), the target is sent to another fake page on the two-step-checkup[.]site domain, where the phishing kit requests the login details of the victim’s email account, such as the password and the two-factor authentication (2FA) code.\r\nThe structure of the phishing page is listed below:\r\nhxxps://two-step-checkup[.]site/securemail/secureLogin/challenge/url?ucode=xxxx-xxxx\u0026service=mailservice\u0026type=password\r\nhxxps://two-step-checkup[.]site/securemail/secureLogin/challenge/url?ucode=xxxx-xxxx\u0026service=mailservice\u0026type=smscode\r\nhxxps://two-step-checkup[.]site/ymail/secureLogin/challenge/url?ucode=xxxx-xxxx\u0026service=mailservice\u0026type=password\r\nhxxps://two-step-checkup[.]site/ymail/secureLogin/challenge/url?ucode=xxxx-xxxx\u0026service=mailservice\u0026type=smscode\r\nUsing phishing kits such as Modlishka [7] to steal passwords and two-factor authentication codes is an important step in targeted attacks; it has been widely used by hackers in the past year and many reports have been written about it [8]. As mentioned, Certfa Lab published an extended report in 2018 about the Charming Kitten and their use of this method. Figure 4 is a sample of the phishing page that was used to steal the SMS authentication code.\r\nFigure 4. A sample of a phishing attack to steal a 2FA code via SMS\r\nMalware Development\r\nOne important point that caught our attention in this campaign was the use of “pdfreader.exe”, a piece of malware with a backdoor feature. 
Our investigation shows this file was first uploaded to VirusTotal by an anonymous user on 3 October 2019 [9].\r\nThe technical assessment of the malware’s function shows that the developers of the malware are directly in contact with the people behind the recent phishing attacks, and it could be interpreted as all these malicious activities being done by one group, which we believe to be the Charming Kitten.\r\npdfReader.exe Function: This malware, which is identified as a Win32/Backdoor by antivirus products, is a mid-level piece of malware - due to its lack of design sophistication - with various harmful capabilities. Our assessment shows the malware changes the Windows Firewall and Registry settings in order to run itself automatically, and it gathers information from the victim’s device and sends it to its developer. This feature allows the hackers to run new malware and spyware remotely on the victim’s device. Figure 5 shows the process graph of this malware.\r\nFigure 5. The process graph of pdfReader.exe\r\npdfReader.exe Connections: A noteworthy point about this malware is its connection and interaction with 51.89.237.234 on port 80. Before its original version was uploaded to VirusTotal on 03 October 2019 at 11:00:25 GMT, pdfreader.exe was submitted to VirusTotal as pdfreader.zip four hours earlier, on 3 October 2019 at 07:14:22 GMT, which can be seen in the IP history of 51.89.237.233 (Figure 6). Also, the server with IP address 51.89.237.234 is used to host “software-updating-managers[.]site” and “malcolmrifkind[.]site”.\r\nFigure 6. 
IP history of 51.89.237.233 on VirusTotal\r\nOur research on the history of phishing websites in recent attacks, such as two-step-checkup[.]site, shows the attackers used “ns11025.ztomy[.]com” and “ns21025.ztomy[.]com” as the name servers (NS) on 14 October 2019. These servers were previously used for other phishing websites by the Charming Kitten.\r\nThe similarities between the method of managing and sending HTTP requests on the “two-step-checkup[.]site” server and the latest techniques used by this group are further evidence of the Charming Kitten’s connection to these attacks. In this technique, if requests sent to the host server of the phishing kit are denied, the user is directed to a legitimate website like Google, Yahoo!, or Outlook by “301 Moved Permanently” and “302 Found” redirect responses. As a result, this method makes it harder for different pages and sections of phishing websites to be exposed to the public.\r\nFigure 7 is a sample of a public request to “two-step-checkup[.]site” that has been redirected to outlook.live.com. In this scenario, the user does not have a valid request according to the phishing kit; therefore, the real webpage - not the phishing one - is shown to the target.\r\nFigure 7. Management and redirection of invalid requests on two-step-checkup[.]site [10]\r\nAnother noteworthy point about the footprints of the Charming Kitten in this campaign is the similar settings that have been used for its servers. Our research shows that in the second half of 2019, most servers used by the Charming Kitten were based on Windows machines and OpenSSL, PHP, Apache, and Microsoft-HTTPAPI or similar versions. Although this point alone is not enough to prove the claim, the default settings in responses to HTTP requests can be the group’s footprint. 
A few examples are listed below.\r\nCharming Kitten similar server settings\r\nThe Range of Attacks\r\nAssessments of the network infrastructure used in these attacks show that the Charming Kitten uses a variety of servers and domains to trap its targets. Some of these servers and domains are related to the recent attacks and some were used during the second half of 2019. Table 1 lists the latest domains and IPs of the Charming Kitten and Table 2 lists the related domains and IPs.\r\nTable 1. List of latest domains and IPs of the Charming Kitten\r\nTable 2. List of related domains and IPs of the Charming Kitten [11]\r\nConclusion\r\nThis new series of phishing attacks by the Charming Kitten is in line with previous activities seen from the group. For example, we identified settings for the servers used in this attack similar to those of their previous campaigns.\r\nThe main focus of this phishing campaign was stealing the victims’ email account information and finding information about their contacts and networks. 
One example detailed in this report is their impersonation of public figures such as a WSJ reporter.\r\nThe Charming Kitten used Google Sites for their phishing attack, and Certfa believes that they are working on the development of a series of malware for their future phishing attack campaign.\r\nIOCs\r\n51.38.87[.]199\r\n51.89.237[.]235\r\n51.89.237[.]233\r\n51.89.237[.]234\r\n51.255.157[.]110\r\n185.141.63[.]8\r\n185.141.63[.]135\r\n185.141.63[.]156\r\n185.141.63[.]157\r\n185.141.63[.]160\r\n185.141.63[.]161\r\n185.141.63[.]162\r\n185.141.63[.]170\r\n185.141.63[.]172\r\nfinance-usbnc[.]info\r\nservice-activity-checkup[.]site\r\ntwo-step-checkup[.]site\r\nservice-issues[.]site\r\nphonechallenges-submit[.]site\r\nmalcolmrifkind[.]site\r\nsoftware-updating-managers[.]site\r\ncustomers-service.ddns[.]net\r\nyah00[.]site\r\ncpanel-services[.]site\r\ninstagram-com[.]site\r\nrecovery-options[.]site\r\nskynevvs[.]com\r\nleslettrespersanes[.]net\r\ninztaqram[.]ga\r\nniaconucil[.]org\r\ndrive-accounts[.]com\r\nunirsd[.]com\r\nisis-online[.]net\r\naccounts-drive[.]com\r\nw3-schools[.]org\r\nseisolarpros[.]org\r\nbahaius[.]info\r\nacconut-verify[.]com\r\ncustomers-activities[.]site\r\nsystem-services[.]site\r\n3d67ce57aab4f7f917cf87c724ed7dab\r\n542128ab98bda5ea139b169200a50bce\r\n1. Mitre, “Charming Kitten”. Accessed December 17, 2019. https://s.certfa.com/pccOGX\r\n2. ClearSky Cyber Security (2019), “The Kittens Are Back in Town Charming Kitten – Campaign Against Academic Researchers”. Accessed December 10, 2019. https://s.certfa.com/JPUSoz\r\nClearSky Cyber Security (2019), “The Kittens Are Back in Town 2 – Charming Kitten Campaign Keeps Going on, Using New Impersonation Methods”. Accessed December 10, 2019. https://s.certfa.com/z0NdFI\r\n3. Microsoft (2019), “Recent cyberattacks require us all to be vigilant”. 
Accessed December 16, 2019. https://s.certfa.com/Il3VLH\r\n4. Certfa Lab (2019). “The Return of The Charming Kitten”. Accessed December 12, 2019. https://s.certfa.com/i8Ad16\r\n5. URLScan.io, “A Shorten link sample to collect basic info of victims”. Accessed December 16, 2019. https://s.certfa.com/x8IsaI\r\n6. Certfa Lab (2019). “Weaponizing of Google Cloud Storage for phishing attacks”. Accessed December 16, 2019. https://s.certfa.com/5myHcV\r\n7. Latest Hacking News (2019). “Modlishka – The Tool That Can Bypass Two-Factor Authentication Via Phishing”. Accessed December 17, 2019. https://s.certfa.com/iIJQbl\r\n8. Certfa Lab (2019). “The Return of The Charming Kitten”. Accessed December 12, 2019. https://s.certfa.com/i8Ad16\r\n9. First submission of the sample on VirusTotal on 3 October 2019 at 11:00 GMT. Accessed December 12, 2019. https://s.certfa.com/hZxpoH\r\n10. URLScan.io, “Redirecting invalid request on two-step-checkup[.]site”. Accessed December 16, 2019. https://s.certfa.com/oPa1mY\r\n11. ClearSky Cyber Security (2019), “The Kittens Are Back in Town Charming Kitten – Campaign Against Academic Researchers”. Accessed December 10, 2019. https://s.certfa.com/JPUSoz\r\nClearSky Cyber Security (2019), “The Kittens Are Back in Town 2 – Charming Kitten Campaign Keeps Going on, Using New Impersonation Methods”. Accessed December 10, 2019. https://s.certfa.com/z0NdFI\r\nSource: https://blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/"
	],
	"report_names": [
		"fake-interview-the-new-activity-of-charming-kitten"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434098,
	"ts_updated_at": 1775826684,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/477e736640d49df105b6800976f9eec86972d547.pdf",
		"text": "https://archive.orkl.eu/477e736640d49df105b6800976f9eec86972d547.txt",
		"img": "https://archive.orkl.eu/477e736640d49df105b6800976f9eec86972d547.jpg"
	}
}